
Thursday, November 6, 2014

Using Autopsy to examine an Android image

A solid, open source tool


Autopsy is an open source digital forensics tool by Basis Technology.  It is a powerful free tool with many of the same capabilities as the expensive commercial tools (FTK, EnCase).  Some people in the digital forensics community will debate until they are blue in the face over whether open source forensics software or paid software is better.  I will spare my readers that debate, but I'll say this: Autopsy is a fantastic tool.

I've had all kinds of success with Autopsy before.  There have been several times where FTK Imager did not properly load an image.  Errors included not recognizing the image as an image or missing partitions.  In all cases where FTK Imager has made these sorts of mistakes, Autopsy has come through for me.

On top of that, the version of Autopsy I used before had no Android-specific functionality: it read the disk image as a generic disk image, not as an Android image.  Even so, Autopsy's file system engine did an incredible job of identifying partitions and file systems, and it is a tool I have used with all kinds of success.

In this post, I will load an image of my personal Nexus 5 into Autopsy and will show some of the useful functionality for investigations.  I created the image using the same method in my post on live imaging an Android device.

Getting started
Download and install the newest version of Autopsy from the Autopsy website.  (Note: the downloads are for Windows.  You can download the source for Autopsy and compile it for Linux.  I have not done this yet but intend to soon.)

Once the software is installed, open Autopsy and create a new case.  Fill in the basic info.  The entry for "Base Directory" is where you intend to store data related to cases.  This directory is not necessarily where you store an image you intend to examine and analyze, but it stores information and analyses about the image.  Be advised, this directory can get filled up quickly.  My phone is 32 gigabytes, and my base directory now contains 7 gigabytes of data.



Next, add your Data Source, or your image.



Autopsy has several "ingest modules" built in for analysis.  These ingest modules identify files and extract known data as records, such as emails or time-based data.  You can select or deselect whatever modules you want.  The more ingest modules you select, the more time and disk space the analysis will take, but you also may find more insight about the image with more modules.  Do be sure to select the "Android Analyzer" module when analyzing an Android image.




You can also optionally give a case number or an investigator name.  Yes, you are an investigator, so take credit.

Once the case is created, you can see the main Autopsy interface.



At this point, analysis will be ongoing.  Each ingest module passes through the image to find relevant data.  In the bottom right corner there is a status bar which you can click on to see the analysis status.  In the screenshot below, three different ingest modules are working simultaneously.




Depending upon how big the image is, how many files are in the image, how many modules you select, how much disk space you have, how fast your computer's processor is, and how much RAM you have, analysis may take a while.  I'm running Autopsy on a Windows netbook, and analyzing an image of a 32 gigabyte phone took around an hour.  You can browse around the image and do some investigation before the ingest modules are done, but you will be viewing incomplete results.  For example, there is a great tool for timeline analysis which I will show later in this post.  If you try to do a timeline analysis before the modules are complete, there will be evidence missing from the timeline.

You can also simply wait for the analysis to complete before getting started.

Android Analyzer module
I indicated above to enable the Android Analyzer module.  This module identifies files containing contact data and communications records.  I said above that ingest modules extract records and present them to the investigator.  The screenshot below shows that Autopsy identified Call Logs, Contacts, and more; the Android Analyzer ingest module is to credit for these finds.  You can click each of these and see what data was collected.





Android by default stores your text messages in a SQLite database in the file /data/data/com.android.providers.telephony/databases/mmssms.db, and you can load this file into a SQLite database viewer to see the SMS.  (Note: one of these days I intend to do a post on viewing SQLite database files.  The long and short of it is that Android apps, including SMS, the phone dialer and contacts, use SQLite databases to store data.  The apps present data in their own ways, such as SMS conversations, but you can always view the raw data, exactly as it is stored, in a SQLite database viewer.)
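As an added example (my own code, not part of the original post or of Autopsy), here is what "viewing the raw data" from mmssms.db looks like when done with Python's built-in sqlite3 module instead of a GUI viewer. The database it queries is constructed in memory with a subset of the real `sms` table's columns (`address`, `date`, `type`, `read`, `body`); the rows, phone numbers and message bodies are made up. Two details matter for interpretation: the `date` column is milliseconds since the Unix epoch, and the `type` column encodes direction (1 = inbox, 2 = sent, and so on). A `date` of 0 decodes to 1970-01-01, which is an unset value rather than a real message time. The `open_mmssms` helper shows how to open a real copy read-only so the evidence file is never modified.

```python
import sqlite3
from datetime import datetime, timezone

# Android's SMS provider stores message direction in the "type" column.
# These values are the Telephony.TextBasedSmsColumns MESSAGE_TYPE_* constants.
SMS_TYPES = {1: "inbox", 2: "sent", 3: "draft", 4: "outbox", 5: "failed", 6: "queued"}


def build_sample_db():
    """Construct an in-memory stand-in for mmssms.db.

    The schema is a constructed subset of the real 'sms' table (the real table
    has more columns); the rows are made up for this example.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE sms (
        _id INTEGER PRIMARY KEY, thread_id INTEGER, address TEXT,
        date INTEGER, date_sent INTEGER, read INTEGER, type INTEGER, body TEXT)""")
    rows = [
        (1, 1, "+15555550100", 1413000000000, 1412999990000, 1, 1, "are you coming tonight?"),
        (2, 1, "+15555550100", 1413000300000, 0, 1, 2, "yes, leaving now"),
        # A zero date: the provider never filled it in, so it will decode to 1970.
        (3, 2, "+15555550199", 0, 0, 0, 1, "verification code 123456"),
    ]
    conn.executemany("INSERT INTO sms VALUES (?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def android_ms_to_utc(ms):
    """Android stores SMS times as milliseconds since the Unix epoch."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def dump_sms(conn):
    """Return the messages in chronological order with decoded fields."""
    cur = conn.execute(
        "SELECT _id, thread_id, address, date, type, read, body FROM sms ORDER BY date"
    )
    out = []
    for _id, thread_id, address, date_ms, msg_type, read, body in cur:
        out.append({
            "id": _id,
            "thread": thread_id,
            "address": address,
            "time_utc": android_ms_to_utc(date_ms).isoformat(),
            "direction": SMS_TYPES.get(msg_type, f"unknown({msg_type})"),
            "read": bool(read),
            "body": body,
            # A date of 0 decodes to 1970-01-01; treat it as "unset", not as real.
            "timestamp_unset": date_ms == 0,
        })
    return out


def open_mmssms(path):
    """Open a real mmssms.db read-only so the evidence file is never modified."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


if __name__ == "__main__":
    for msg in dump_sms(build_sample_db()):
        print(msg)
```

To run it against an extracted database, replace `build_sample_db()` with `open_mmssms("path/to/mmssms.db")`; the query and decoding are the same.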

Below is how Autopsy presents SMS.



(Black boxes inserted for privacy.)

Convenient?

Here is the call log ...




... and here is the contacts list.



Browsing the image
Autopsy allows you to browse through the image.  The below screenshot shows all of the partitions which Autopsy identified.  You can see the userdata partition, which will store most of the data about the user.



And then you can browse through the individual partitions.




You can view individual files as text or hex.  You can also see extracted strings and metadata about the file.  And picture files load as pictures.

Timeline
One of Autopsy's best features is the timeline.  Autopsy will find events associated with a date and time, such as text messages or call logs or any other time-based events, and make a timeline of events.  As an investigator, I always like to create a timeline of events which a digital device has recorded because all of these events ultimately tell the story about a person using the device.

To create a timeline, go to Tools -> Timeline.  (Wait for all ingest modules to finish first.)  Then wait for a bit, and when the timeline is ready it opens in a new window.




The timeline clearly indicates a lot of activity in 2013-2014.  But you may also see a weird anomaly around 1970.  Do not worry about those entries or the odd 2008 files; they are Linux and Android artifacts, respectively, and come from how "Unix time" or "epoch time" is stored (a timestamp of zero decodes to January 1, 1970).  For a quick explanation of how Linux keeps time, check out the Wikipedia page on Unix time.
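To make the "Counts" and "Details" views and the 1970 anomaly concrete, here is an added example (my own code, not Autopsy's, and not from the original post) that merges time-based events from several sources into one timeline. The event list is constructed: the SMS and call log entries use milliseconds since the epoch, as Android app databases do, while the file system entries use seconds, as ext4 timestamps do; the phone numbers and paths are made up. Normalising the units first is what keeps a 2014 message from landing in 1970 or in the far future, and the zero-timestamp file is what shows up as the epoch artifact.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed events in the shape a timeline tool merges: each source keeps its
# own clock units. Android app databases use milliseconds since the Unix epoch;
# file system timestamps (ext4 mtime) are seconds since the epoch.
SAMPLE_EVENTS = [
    {"source": "sms",     "unit": "ms", "ts": 1413000000000, "label": "SMS from +15555550100"},
    {"source": "calllog", "unit": "ms", "ts": 1413900000000, "label": "Call to +15555550100"},
    {"source": "file",    "unit": "s",  "ts": 1413100000,    "label": "/data/data/com.example/cache/x.tmp modified"},
    {"source": "file",    "unit": "s",  "ts": 0,             "label": "/system/bin/sh modified"},
    {"source": "file",    "unit": "s",  "ts": 1218192000,    "label": "/system/app/Foo.apk modified"},
    {"source": "sms",     "unit": "ms", "ts": 1385000000000, "label": "SMS from +15555550199"},
]


def normalize(event):
    """Return a copy of the event with a UTC datetime, regardless of source units."""
    seconds = event["ts"] / 1000 if event["unit"] == "ms" else event["ts"]
    return {**event, "when": datetime.fromtimestamp(seconds, tz=timezone.utc)}


def build_timeline(events):
    """Sort normalized events chronologically (the 'Details' view)."""
    return sorted((normalize(e) for e in events), key=lambda e: e["when"])


def count_by_year(timeline):
    """Bucket events per year (the 'Counts' view at its coarsest zoom)."""
    return Counter(e["when"].year for e in timeline)


def epoch_artifacts(timeline):
    """Events dated exactly at the Unix epoch.

    A zero timestamp means the value was never set; it is not a real 1970 event.
    """
    return [e for e in timeline if e["when"].timestamp() == 0]


def events_between(timeline, start_iso, end_iso):
    """Zoom into a window given as ISO dates, like selecting a range on the timeline."""
    start = datetime.fromisoformat(start_iso).replace(tzinfo=timezone.utc)
    end = datetime.fromisoformat(end_iso).replace(tzinfo=timezone.utc)
    return [e for e in timeline if start <= e["when"] < end]


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_EVENTS)
    print("counts by year:", dict(count_by_year(tl)))
    for e in epoch_artifacts(tl):
        print("epoch artifact (unset timestamp):", e["label"])
    for e in events_between(tl, "2014-10-10", "2014-10-24"):
        print(e["when"].isoformat(), e["source"], e["label"])
```

The 2008 file in the sample stands in for the system files the post mentions; those carry the build's timestamp rather than a user action, which is why they cluster away from the user's activity.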

You can zoom in to see detailed events.  The following shows my phone's events from October 10-23, 2014.



The bar colors represent different events as seen in the legend on the timeline.




You can choose to view "Details" instead of "Counts" which allows you to see what events occurred.



And then you can zoom in further for more details.  I see that there is an SMS event, so I chose to see the details of that event.  (SMS message blacked out for privacy.)




The timeline is just an incredibly useful tool, and the more you use it, the more uses you find for it.

More features
Autopsy has many more features which I'll let you explore.  But just to list a few that I've used before:

  • Plugins
    • You can download plugins to act as further ingest modules or even develop your own
  • Extract files
    • You can extract files to analyze them with other tools, such as a hex editor of choice or an advanced media file analysis tool
  • Report
    • Like with other forensic tools, you can tag files of interest and generate a report highlighting important files and other findings
  • Known hashes
    • If you have a list of hashes of known files you are interested in finding, you can load this hash set into Autopsy and it will let you know if it found these files
  • Carving
    • Autopsy includes Scalpel for data carving
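The "Known hashes" feature above amounts to hashing every file and looking the digest up in a set. As an added example (my own code, not Autopsy's own hash lookup implementation), the block below builds a small constructed directory tree standing in for files extracted from the image, hashes each file in chunks so large files never have to fit in memory, and reports the files whose digest is in a constructed "known" set. The set is keyed on MD5 here; the algorithm is a parameter and the choice is this example's, not something the post specifies. Note that the match is found even though the file of interest was renamed, which is the whole point of matching on content rather than on names.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def md5_of_bytes(data):
    """MD5 hex digest of an in-memory buffer (used only to build the sample set)."""
    return hashlib.md5(data).hexdigest()


# Constructed "known" hash set: digest -> label. It contains the hash of one of
# the sample files written below, not the hash of any real artifact.
KNOWN_HASHES = {
    md5_of_bytes(b"this is the file we are looking for\n"): "sample-of-interest.txt",
}


def hash_file(path, algo="md5", chunk_size=1 << 20):
    """Hash a file in chunks so large evidence files do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, known, algo="md5"):
    """Walk an extracted directory tree and report files whose hash is in the set.

    Returns sorted (relative path, digest, label) tuples for each hit.
    """
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            digest = hash_file(path, algo)
            if digest in known:
                hits.append((os.path.relpath(path, root), digest, known[digest]))
    return sorted(hits)


def build_sample_tree():
    """Create a temporary directory standing in for files extracted from the image.

    Constructed contents: one file matches the known set despite a misleading name.
    """
    root = tempfile.mkdtemp(prefix="autopsy_demo_")
    media = Path(root) / "media"
    media.mkdir()
    (media / "photo1.bin").write_bytes(b"not interesting\n")
    (media / "renamed.jpg").write_bytes(b"this is the file we are looking for\n")
    (Path(root) / "notes.txt").write_bytes(b"also not interesting\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, digest, label in scan_tree(root, KNOWN_HASHES):
        print(f"{rel}: {digest} matches known set entry '{label}'")
```

For a real case, point `scan_tree` at the directory of files extracted from Autopsy and load the known set from your hash list instead of building it inline.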

Summary
  • Autopsy is an awesome tool.  This point deserves an individual bullet
  • You can browse an image like in FTK Imager but I've had cases where FTK Imager fails to load an image properly and Autopsy has correctly loaded the image
  • Ingest modules process through evidence and extract useful records
  • The Android Analyzer ingest module can extract contacts, SMS, Calls, and more
  • Autopsy's timeline tool is incredibly useful in investigations
Questions, comments, suggestions, or experiences?  Open source vs paid forensic software debate? Leave a comment below, or send me an email.

4 comments:

  1. I am glad you are finding Autopsy and the new timeline feature useful. Please feel free to report any issues/bugs you find on the GitHub site (https://github.com/sleuthkit/autopsy/issues) and we will do our best to address them.

  2. How to analyze my Android device's dd image, as disk or as partition, using Autopsy in Kali Linux? No Android Analyzer module in this Linux version.

  3. How to capture an Android device to a dd image file? Or some other file type like img, bin, ...?

    1. This post should do it ... http://freeandroidforensics.blogspot.com/2014/08/live-imaging-android-device.html